开发者

how to invalidate session in jsf 2.0 if browser get closed without being invalidating the current session.

if i close my browser without invalidating the session then i don't want it to access my application without being log-in again.

and don't want my user to ge开发者_如何学Pythont assess to the restricted user pages by using back button.

how can i do this in JSF 2.0?


how to invalidate session in jsf 2.0 if browser get closed without being invalidating the current session.

You can't do this programmatically in a reliable manner. The session will however automatically expire after 30 minutes. If you open a new browser, then a new session will be created and the previous session won't be accessible anymore.


and don't want my user to get assess to the restricted user pages by using back button.

You need to instruct the browser to not cache those restricted user pages. You can do this by creating a filter which is mapped on an URL pattern which covers those pages and does the following job in doFilter() method:

@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
    HttpServletRequest httpReq = (HttpServletRequest) request;
    HttpServletResponse httpRes = (HttpServletResponse) response;

    if (!httpReq.getRequestURI().startsWith(httpReq.getContextPath() + ResourceHandler.RESOURCE_IDENTIFIER)) { // Skip JSF resources (CSS/JS/Images/etc)
        httpRes.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1.
        httpRes.setHeader("Pragma", "no-cache"); // HTTP 1.0.
        httpRes.setDateHeader("Expires", 0); // Proxies.
    }

    chain.doFilter(request, response);
}

This way the browser is forced to send a full HTTP request everytime instead of showing the page from the browser cache.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜